From a18e436b5d7cae5c2e7600ad30a7758ea079bb69 Mon Sep 17 00:00:00 2001
From: Stefan Hanreich
Date: Fri, 19 Apr 2024 11:42:37 +0200
Subject: [PATCH] firewall: expose configuration option for new nftables firewall

There's a new firewall implementation available as `proxmox-firewall` package, in contrast to the existing `pve-firewall` package it is using nftables directly, not the legacy iptables, and can thus leverage a modern stack with atomic updates, avoiding the need for different tools (e.g., ebtables), and not requiring intermediate firewall bridges to handle VM flow correctly. Additionally it's written in Rust, making it more efficient and safer to change.

The new implementation is using the same configuration file as source and should be mostly the same in semantic behavior, it basically is a drop-in replacement besides one known issue:

There is currently one major issue that we still need to solve: REJECTing packets from the guest firewalls is currently not possible for incoming traffic (it will instead be dropped). This is due to the fact that we are using the postrouting hook of nftables in a table with type bridge for incoming traffic. In the bridge table in the postrouting hook we cannot tell whether the packet has also been sent to other ports in the bridge (e.g. when a MAC has not yet been learned and the packet then gets flooded to all bridge ports). If we then REJECT a packet in the postrouting hook, this can lead to a bug where the firewall rules for one guest REJECT a packet and send a response (RST for TCP, ICMP port/host-unreachable otherwise).

While this is being addressed, and the whole stack is better tested in general, the new FW will only be enabled if the admin enables a boolean configuration which this patch exposes on the UI.

Signed-off-by: Stefan Hanreich
---
 www/manager6/grid/FirewallOptions.js | 1 +
 1 file changed, 1 insertion(+)
diff --git a/www/manager6/grid/FirewallOptions.js b/www/manager6/grid/FirewallOptions.js index 0ac9979c..6aacb47b 100644 --- a/www/manager6/grid/FirewallOptions.js +++ b/www/manager6/grid/FirewallOptions.js @@ -83,6 +83,7 @@ Ext.define('PVE.FirewallOptions', { add_log_row('log_level_out'); add_log_row('tcp_flags_log_level', 120); add_log_row('smurf_log_level'); + add_boolean_row('nftables', gettext('nftables (tech preview)'), 0); } else if (me.fwtype === 'vm') { me.rows.enable = { required: true, -- 2.39.2
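Review bot: The new row's label `nftables (tech preview)` gives the admin no hint of the behavioural difference the commit message describes, namely that with the new implementation incoming guest traffic matching a REJECT rule is dropped instead, so a guest that relies on RST/ICMP-unreachable replies will see different behaviour as soon as this box is ticked; consider attaching a tooltip or help text to the row (the other rows in `FirewallOptions.js` carry descriptive text) stating that REJECT currently behaves like DROP for incoming guest traffic, so the semantic change is visible where the option is enabled rather than only in the commit log. The default of `0` is the right choice here, since it keeps the legacy `pve-firewall` active unless explicitly opted in, and the placement before the `else if (me.fwtype === 'vm')` branch correctly keeps the toggle off the per-guest options panel.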